[Oisf-users] Drops: From none to gigantic in the blink of an eye
Cooper F. Nelson
cnelson at ucsd.edu
Wed Mar 23 17:07:13 UTC 2016
I spent a week or so chasing down problems like this and it turned out
to be due to SYN floods (both inbound and outbound) from clients
participating in a DOS attack.
When this happens you won't see anything out of the ordinary on the
sensor, other than high CPU load and packet drops.
I put together some sigs to detect this, copied below. You may need to
tune the threshold settings for your network.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"; flags:S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS Unusually fast SYN packets outbound, Potential DOS"; flags:S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6; rev:1;)
Btw, this isn't a guarantee as to what you are seeing. These sigs also
may put a high load on your sensor, so keep that in mind.
-Coop
On 3/23/2016 9:12 AM, Cloherty, Sean E wrote:
> Our Suricata installation went from normal to completely haywire
> overnight Tuesday. It was cruising along with very low packet loss
> (0.002%) when suddenly between 2:24 and 2:29 AM it began to grow
> extremely rapidly.
>
> So far I've checked and
>
> - NIC stats for errors or drops are very few (at bottom of email)
>
> - There were no changes to server Tuesday AM to account for this
>
> - Network traffic just before and after exhibited no major
> change of volume.
>
> - No errors are visible in the messages file, or Suricata logs
> that appear out of the ordinary.
>
> - Since that time RAM usage and CPU utilization are much higher
> (no surprise)
>
> The most pertinent data is below or attached. Any input at all would be
> helpful to say the least . . .
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
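The two rules above are a rate threshold on bare SYN packets per destination. The script below is an added example, not part of the original post and not Suricata code: it models the semantics of `flags:S,12` (SYN set, reserved bits CWR/ECE ignored) and `threshold: type both, track by_dst, count 5000, seconds 5` (alert once per destination per 5-second window once 5000 matches are seen, then stay silent until the window ends) and runs them over constructed packet events. The event layout `(timestamp, src, dst, tcp_flags)`, the addresses and the traffic mix are assumptions made up for illustration, not captured data.

```python
"""Model of the SYN-rate threshold rules, run over constructed packet events.
Added example; not Suricata code.  Addresses and the (ts, src, dst, flags)
event layout are assumptions for illustration."""

# TCP flag bits as they appear in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def is_bare_syn(flags: int) -> bool:
    """Equivalent of `flags:S,12;`: SYN set and no other flag, with the two
    reserved bits (CWR and ECE, used for ECN setup) ignored.  A SYN-ACK or a
    SYN carrying PSH does not match; an ECN-setup SYN (SYN+CWR+ECE) does."""
    return (flags & ~(CWR | ECE)) == SYN


class SynRateThreshold:
    """Equivalent of `threshold: type both, track by_dst, count N, seconds S;`.

    Per destination, count matching packets inside an S-second window that
    opens with the first matching packet.  Alert once when the count reaches
    N, stay silent for the rest of the window, then start a fresh window."""

    def __init__(self, count: int = 5000, seconds: float = 5.0):
        self.count, self.seconds = count, seconds
        self.state: dict[str, list] = {}  # dst -> [window_start, n_syn, alerted]

    def observe(self, ts: float, src: str, dst: str, flags: int):
        if not is_bare_syn(flags):
            return None
        st = self.state.get(dst)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[dst] = [ts, 0, False]  # open a new window
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return {"ts": ts, "dst": dst, "count": st[1], "window_start": st[0],
                    "msg": "LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"}
        return None


def detect(events, count: int = 5000, seconds: float = 5.0):
    """Run the threshold over (ts, src, dst, flags) events in time order."""
    th = SynRateThreshold(count, seconds)
    alerts = []
    for ts, src, dst, flags in sorted(events):
        hit = th.observe(ts, src, dst, flags)
        if hit:
            alerts.append(hit)
    return alerts


def constructed_events():
    """Constructed sample traffic (not a capture).  Documentation address
    ranges are used for the outside world; 10.0.0.0/24 plays $HOME_NET."""
    events = []
    # Benign: one connection attempt every 100 ms to 10.0.0.5 for 30 s.
    for i in range(300):
        events.append((i * 0.1, f"198.51.100.{i % 250 + 1}", "10.0.0.5", SYN))
    # Flood: 6000 SYNs to 10.0.0.9 between t=10 and t=12 from 250 sources;
    # every third one is an ECN-setup SYN (SYN+CWR+ECE), which still matches.
    for i in range(6000):
        flags = SYN | CWR | ECE if i % 3 == 0 else SYN
        events.append((10 + i / 3000, f"203.0.113.{i % 250 + 1}", "10.0.0.9", flags))
        # The victim's SYN-ACK replies: same volume, but the ACK bit excludes them.
        events.append((10 + i / 3000 + 0.0001, "10.0.0.9",
                       f"203.0.113.{i % 250 + 1}", SYN | ACK))
    return events


if __name__ == "__main__":
    for a in detect(constructed_events()):
        print(f"{a['ts']:.3f} {a['msg']}: {a['count']} bare SYNs to {a['dst']} "
              f"since {a['window_start']:.3f}")
```

With the constructed traffic the benign host never alerts (at most about 50 SYNs fall into any 5-second window), the 6000 SYN-ACK replies are ignored because of the ACK bit, and the flooded host produces exactly one alert, on the 5000th SYN about 1.67 s into its window; the remaining 1000 SYNs in that window are counted but silent, which is what `type both` buys over a plain per-packet rule.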